Should Privacy Guides require open-source, source-first or source-available as a criteria for all tools?

there have been many closed source projects that have had a great track record for years and didn’t screw over their users.

A good track record of what exactly? Just because the users aren’t able to determine if the adversary (here, the ones writing the closed-source software) is spying on them and screaming about it on Twitter, doesn’t mean the adversary is not actually spying on them through the actual software without them being aware of it.

In any case I’d love to see you guys actually officially suggest people use closed-source software for privacy, it’d be a pleasure to write a blogpost about it from my end, and not in a good way lol

What are you guys going to recommend next? People should use Windows too?

2 Likes

We do recommend certain closed source options in certain sections, within good reason.

Again, you are free to have your own opinion about this and agree with us, we have an open community and try not to be an echo chamber, sacred cows and all that, but I must say I dislike the negative tone and would kindly ask you to tone that down a bit.

P.S. we do not recommend Windows, but we do have Windows recommendations as moving to Linux is not feasible for a lot of people. 🙂

1 Like

If you don’t mind, where do you guys recommend that closed source software? I didn’t find it.

For example.

2 Likes

There are quite a few closed source options that we haven’t officially recommended yet. Most of the journalists and organizations I had worked with relied on software like Tresorit, Threema, or even Apple Notes. Enterprise support is really important for these folks, especially in professional workflows.

For example, I would much rather have a journalist or activist use iOS’ recent voice memo transcription feature because of Advanced Data Protection. There aren’t a lot of good FOSS voice transcription tools that offer seamless encryption and cloud syncing. Not stating that it’s impossible to do so…but it is so much easier telling someone to enable a setting on their iPhone rather than to install and configure FOSS alternatives.

2 Likes

@Niek-de-Wilde

We do recommend certain closed source options in certain sections, within good reason.

From my approach I segment it like that:
- Public use (you are under surveillance when doing something)
- Private use (you are not being watched when doing something)
- Anonymous use (your identity isn’t known when doing something)
- Sensitive use (you can deny having done something)

Just to make sure I’m not misunderstanding the recommendations here, you guys aren’t recommending closed source software (like Safari for example) for private use, right? I just don’t understand what Windows / macOS recommendations have to do in “privacy recommendations” as privacy is just not possible to have on those operating systems.

@KevPham

For example, I would much rather have a journalist or activist use iOS’ recent voice memo transcription feature because of Advanced Data Protection.

Oh so it’s OK to use closed-source software for private use if there aren’t other FOSS alternatives? Is that your point?

I disagree with the approach big time if that’s you guys’ attitude here, just because users are attached to the MacOS/Windows ecosystem doesn’t mean you should spread this massive lie that they can achieve privacy with either of those, because it’s not possible due to the closed-source nature of those OSes.

Really, the first privacy tutorial I wrote is to just get rid of either of those, and to install Linux instead, because otherwise privacy will never be a thing for the user on closed-source host OSes. I hope you guys are aware of that, and that you are not trying to mislead your audience (which I have all the respect in the world for) into a false sense of privacy.

1 Like

Why is privacy not possible for Windows? Especially with Pro and Enterprise versions it is possible using GPOs.

FOSS doesn’t mean it is always secure and private. It only means code can be reviewed by other people but it doesn’t guarantee a fix to a bug or security concern when found.

1 Like

May I also mention O&O ShutUp10. Mostly this is reserved for home editions or users who somehow don’t have access to GPOs.

My emphasis was on secure use in professional workflows…not private use at home. It all really depends on your threat model. I’m not stating that closed-source tools are always better than open source or vice versa (I in fact prefer FOSS whenever possible) but that specific usage case in the professional world shows an example where closed-source might be better than open source.

2 Likes

And do you think MS is above the data privacy laws? Just because you are not able to see the source code, doesn’t mean you can’t edit the settings of the OS.

Have you ever tried using group policies? Have you ever worked in an enterprise environment or did system management? Just saying Windows bad Linux good is not helping. I can tell a lot of bugs and vulnerabilities with Linux too, especially SUSE and Redhat servers which I am working on.

If your concern is only telemetry and you don’t want to bother with group policies or registry settings or Windows settings, just use a 3rd party DNS like NextDNS, Control D or Adguard to block them all.

2 Likes

Very simple, you can’t read the sourcecode of your operating system, you don’t have any visibility on what it is doing. So you can’t tell if your operating system isn’t spying on what you’re doing.

Have you ever considered that Linux, BSD etc. are not necessarily operating systems themselves but kernels? For some distros this could be the only “open part” of it. Look at RHE (Red Hat) Linux and especially their scandal paywalling the source code. It is not a be all and end all for operating systems to be open source and there are many options to limit if not completely disable the telemetry/data collection Microsoft does. If not with GPO there’s also the registry that Microsoft exposes.

Well, Signal operates in the US too, makes no sense. SimpleX also operates in the UK, not the best country too the UK as they have both a good but also the worst privacy law in existence. (at least iirc)

Privacy is possible with closed sources (yes there is the “we can’t read code so we can’t say”) but let’s take the words of that anywho, if say KDE was closed source still but still allowed you to disable or customize the telemetry completely, you basically would not trust it to do that? Especially if a software or OS has been audited and that audit includes the data collection practices confirmation which helps even better for the closed source software rather than taking their word for it.
And again with Microsoft opening the registry (to everyone) and Group Policy (to Pro/Enterprise or Education or something), you have full control of the Windows operating system anyway which can include removing any annoyances and/or privacy/telemetry/data collection on the deeper level.
Again I also mentioned the O&O ShutUp10 tool remember? Edit: yes I can admit I’m wrong, this is the TPCSC channel one, the one I was talking about was:

That video doesn’t support your argument; it undermines it. Yes, Windows is privacy-invasive by default, but that video only demonstrates how we can transparently see the connections Windows makes and potentially block them at the network level if so desired (in spite of the source code being proprietary).

2 Likes

We try and look at privacy as a journey where you can make gradual improvements, rather than as an all-or-nothing binary.

For example, if someone was using Gmail and Windows, and they switched their email provider to Tuta, that would still be a substantial improvement to their privacy even if they haven’t switched their operating system yet. And maybe it will inspire them to make more private choices including switching to Linux in the future.

In this vein though, we recommend a variety of tools that can be used as alternatives to common software on many platforms, including closed-source ones like Windows and macOS.

This is why we have a strong preference for open-source when possible, but we do also recommend closed-source tools when they are the most private and/or secure available option in the category.

See also: Common Misconceptions - Privacy Guides

5 Likes

Privacy is not 1-0, it’s a spectrum. We do not recommend Windows if one has the choice, but we CAN at least make recommendations to make it better if you need to use it.

4 Likes

Privacy actually is binary, you’re either being watched or you are not being watched.

You may be watched by 100 different adversaries right now on Windows or macOS (regardless of how you configure your Google Chrome or Safari), privacy is definitely not there for you.

If you’re being watched by one adversary, privacy is also nonexistent for you. All it takes is to tolerate the presence of a single closed-source software.

No, Privacy is when you have 0 adversaries watching you right now. The average joe out there may not like it but that’s how it is, there’s no sugarcoating this, you either have a FOSS host OS or you don’t, and obviously every app you use in that OS should be FOSS too.

Just say that any closed-source software you recommend is only suitable for public use and NOT private use, if you really want to be honest to your audience, it’s not complicated.

2 Likes

I think we will just have to agree to disagree in this case. We both understand each other’s opinion, but just happen to fundamentally disagree 👍

7 Likes

I disagree, privacy is a spectrum. And the spectrum is about balancing convenience and security/privacy in this case.
As it was said likely countless times already, each individual has vastly different threat models, each one tailoring to their own.
Let’s take these:
My threat model consists of trying new privacy tools and of course I favour open source where I can but I also use a little bit of proprietary where it must or can but it shouldn’t break the convenience of using that software. For example I still use Spotify, yes it’s proprietary but what’s Spotify Lite gonna do, sell my music preference? Cool, let the government know I listen to my HoYo-Mix jams, I hope they love it! Viber mostly because my family is centered around it but I have requested my data package and I can confirm that by using a pseudonym Viber can’t trace back to me and have contact + storage scopes, Viber can’t simply identify me this way. (I can also just put nothing in my name) so with that I feel comfortable using it thanks to also them finally with GDPR adding control for the personal data and opts all of them out by default (just a few ticks was needed) but I prioritize using Signal over it, rarely do I ever go on the other platform. I of course also game, which 99% of games are proprietary, you seriously think I have time to bother them to open source their game? Hoyoverse would tell me to f**k right off for asking them to open source their game, it’s clearly not happening here.
But despite all of that we can mitigate it, not completely eliminate it. Some exceptions can be made when it comes to eliminating it but point stands. For me the motto is “I have nothing to hide but I have nothing to share” kind of threat model.

A journalist has a far higher threat model than me though which in this case yes they’re likely to need more decentralized or self hostable options and more cautionary tale like using GrapheneOS on a Pixel instead of using a stock OS, they would use Home Assistant instead of anything spying wise like Chinese vacuum robots that do that etc. and finally options that respect privacy like Proton for email for example, Mullvad for VPN etc. etc. Which breaks/may break convenience for them but it is at the cost of protecting themselves. Journalists might also need anonymity which is where Tor/Tails and SimpleX’s incognito tend to come in. This is the “Activist” kind of threat model.

Finally your average joe likely or maybe has no expectation of Digital Privacy and for that to recommend open source/private alternatives. You’re going to need to give them appealing reasons to do so. Like for example how easy it is to switch or get started on a platform like e.g. Proton, Signal and even then make sure the long term viability of them. With OS too, with SteamOS coming to fruition we hope Linux in a way adopts to mainstream but it’s only a hope. And Valve has yet to open source SteamOS I think. You can correct me on that people. But with that I don’t see it coming to fruition anytime soon. This threat model is the “I have nothing to hide” (which yes I agree is a really bad excuse that has spread in the starting generations of the digital world).

For the love of god try to listen to what we’re saying rather than trying to quadruple down (and ongoing), as you can see I am not alone in this.
If we put privacy by bits, it’s like a quantum bit, not a normal bit.

5 Likes

Good point. I think at the end of the day, we know our situation the best. As long as we get more folks conscious about privacy, the more everyone gets protected. And maybe FOSS alternatives can get more popular or mainstream!

7 Likes

Every possible entity is either watching you or not watching you. You could make it more binary, each entity is watching your IP address or not watching your IP address, and enumerate this for every piece of information about you. This is indeed a fact, and a binary outcome.

Now, throw in a threat model. Assign weight (importance) to each outcome result of the above information. For you, maybe it’s 100% important, maybe it’s 20% important to someone else. Aggregate, by some formula, all binary decisions with all weight you’ve assigned as functions which take in mitigation techniques, whereas each mitigation mutates the outcome by risk of exposure, not doing it right, how much it mitigates, etc. Compose multiple mitigation techniques together, execute binary models, and view deltas of the outcome of combining mitigation techniques. Determine which series of mitigation techniques lead to the lowest possible value. This is a pseudo representation of the recommendations provided by PG.

It’s no longer binary.

3 Likes
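
The aggregation sketched in the post above, as an added example that is not part of the original post or of Privacy Guides' methodology. The entities, weights, mitigation factors and the plain weighted-sum formula are all assumptions chosen for illustration; note that a mitigation can also introduce a new observer.

```python
from itertools import combinations

# Constructed sample data; every name, weight and factor below is an assumption.
BASELINE = {  # binary outcome per (entity, datum): 1 = watching, 0 = not watching
    ("isp", "browsing"): 1, ("vpn_provider", "browsing"): 0,
    ("os_vendor", "telemetry"): 1, ("third_party_dns", "queries"): 0,
}
WEIGHTS = {  # threat model: how much each outcome matters to this person
    ("isp", "browsing"): 0.8, ("vpn_provider", "browsing"): 0.5,
    ("os_vendor", "telemetry"): 0.6, ("third_party_dns", "queries"): 0.3,
}
MITIGATIONS = {  # "reduces": residual exposure factor; "adds": new exposure introduced
    "vpn": {"reduces": {("isp", "browsing"): 0.1},
            "adds": {("vpn_provider", "browsing"): 1.0}},
    "filtering_dns": {"reduces": {("os_vendor", "telemetry"): 0.4},
                      "adds": {("third_party_dns", "queries"): 1.0}},
    "group_policy": {"reduces": {("os_vendor", "telemetry"): 0.3}, "adds": {}},
}

def apply(state, names):
    """Compose mitigations: multiply residual factors, then add new exposures."""
    state = dict(state)
    for name in names:
        for key, factor in MITIGATIONS[name]["reduces"].items():
            state[key] *= factor
    for name in names:
        for key, p in MITIGATIONS[name]["adds"].items():
            state[key] = max(state[key], p)
    return state

def score(state, weights):
    """Weighted aggregate of exposure; the "some formula" here is a plain sum."""
    return round(sum(weights[k] * p for k, p in state.items()), 6)

def best_plan(weights):
    """Evaluate every combination of mitigations and return the lowest score."""
    plans = [c for r in range(len(MITIGATIONS) + 1)
             for c in combinations(sorted(MITIGATIONS), r)]
    return min((score(apply(BASELINE, p), weights), p) for p in plans)
```

With these constructed numbers, applying every mitigation is not the best plan, and raising the weight on the VPN provider changes which plan wins.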

I have a lot of thoughts on this (which should probably culminate in a blog post sometime), but I’ll try to be brief.

Software attestations (which typically include a digital signature, signed by developer or a commercial redistributor of open source software) are important for any software supply chain solution. (I don’t believe that random open source devs should bear the responsibility of being treated as “critical infrastructure”, of course. That’s why commercial redistributors are mentioned.)

One type of attestation that’s useful is, “Is this binary reproducible from the source code?” and that’s much easier to accomplish with open source software. See also: reproducible builds.

Another type of attestation is called witness co-signatures (at least in SigSum parlance). You can get witnesses that merely audit the transparency log that artifact hashes and signatures are committed to, or you can have attestations that look like:

I, ${security_vendor}, have reviewed the software at ${git_commit_hash} on ${date} and did not identify any obvious malware or crypto-miners.

Or more ambitiously:

I, ${security_vendor}, have audited the software at ${git_commit_hash} on ${date}, the report is available at ${url}.

And that obviously gives you a higher level of assurance than proprietary software, in a way that’s provable. Additionally, such infrastructure provides a tangible mechanism for Linus’s Law (which is paraphrased as, “with enough eyeballs, all bugs are shallow”).

Instead of putting faith into Linus’s Law with open source software, such a software supply chain actually provides visibility into whether software is even being spot-checked or not. And if a security vendor is lying about their spot checks, they’ve already staked their reputation on it by publishing it on the same append-only transparency log that other attestations are distributed through.

If we had such a system in place, using closed-source software would be an objectively stupid idea.

We don’t live in that world today. We might someday soon. (After Python’s ecosystem has succeeded at adopting PEP 740, focus can expand towards other programming languages and package managers.)

Privacy tools are high-value targets for governments and corporations that want to spy on people. If a tool isn’t open source, we can never get it into that world.

Thus, in the long term, I believe that prioritization should increasingly weigh on transparency for the developers. Whether we’re already past the tipping point, I can’t say for sure. But I hope this provides a bit of insight from the perspective of a cryptography nerd focused on real-world problems.

(Originally posted in the wrong thread.)

8 Likes
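
An added example (not the poster's code and not SigSum's actual format): a client-side check that combines the reproducible-build comparison with proof that an attestation sits in an append-only transparency log, as the post above describes. It assumes an RFC 6962-style Merkle tree and a log root whose witness co-signatures were already verified elsewhere; the JSON field names and sample data are constructed.

```python
import hashlib, json

def leaf_hash(data):             # RFC 6962 leaf hash: SHA-256(0x00 || data)
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):      # interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n):                    # largest power of two strictly below n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(leaves, i):       # sibling hashes the log hands out for leaf i
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if i < k:
        return audit_path(leaves[:k], i) + [merkle_root(leaves[k:])]
    return audit_path(leaves[k:], i - k) + [merkle_root(leaves[:k])]

def root_from_path(leaf, i, n, path):   # recompute the root; None if path is malformed
    if n == 1:
        return leaf_hash(leaf) if not path else None
    if not path:
        return None
    k, sibling = split(n), path[-1]
    if i < k:
        sub = root_from_path(leaf, i, k, path[:-1])
        return node_hash(sub, sibling) if sub else None
    sub = root_from_path(leaf, i - k, n - k, path[:-1])
    return node_hash(sibling, sub) if sub else None

def accept_release(rebuilt, attestation, i, n, path, witnessed_root):
    # Reject unless our own rebuild matches the attested hash AND the attestation
    # is provably in the log whose root the witnesses co-signed.
    claimed = json.loads(attestation)["artifact_sha256"]
    if not 0 <= i < n or hashlib.sha256(rebuilt).hexdigest() != claimed:
        return False
    return root_from_path(attestation, i, n, path) == witnessed_root

# Constructed sample: a three-entry log of attestations for one constructed binary.
BINARY = b"constructed release bytes"
DIGEST = hashlib.sha256(BINARY).hexdigest()
LOG = [json.dumps({"vendor": f"example-vendor-{j}", "artifact_sha256": DIGEST}).encode()
       for j in range(3)]
```

A closed-source release cannot pass the first half of `accept_release`, because the client has no source from which to produce `rebuilt`.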